Setting the Stage

• What policy developments took place in February 2013?

• Why are these developments important?

Developments During the Week of Feb. 12, 2013


President's  State  of  the  Union  Address 


Executive  Order 

(Improving  Critical  Infrastructure  Cybersecurity) 


Presidential  Policy  Directive  -  PPD  21 

(Critical  Infrastructure  Security  and  Resilience) 




NIST's  Plans  for  Developing  a 
Cybersecurity Framework

Why are these developments important?


"...85  percent  of  our  nation's 
critical  infrastructure  is 
controlled  not  by  government 
but  by  the  private  sector..." 


—The 9/11 Commission Report

Critical Infrastructure


"... Systems and assets, whether physical or
virtual, so vital to the United States that the
incapacity or destruction of such systems
and assets would have a debilitating impact
on security, national economic security,
national public health or safety, or any
combination of those matters..."


—Title 42, Code of Laws of the United States of America

Why are these developments important?


"...  the  ability  to  prepare  for  and  adapt  to 
changing conditions and withstand and
recover rapidly from disruptions.
Resilience includes the ability to
withstand and recover from deliberate
attacks, accidents, or naturally occurring
threats  or  incidents..." 


— Presidential  Policy  Directive  —  PPD  21 

(February 12, 2013)

Critical Infrastructure Sectors


•  Chemical 

•  Commercial  Facilities 

•  Communications 

•  Critical  Manufacturing 

•  Dams 

•  Defense  Industrial  Base 

•  Emergency  Services 

•  Energy 

•  Financial  Services 

•  Food  and  Agriculture 

•  Government  Facilities 

•  Health  Care  and  Public  Health 

•  Information  Technology 

•  Nuclear  Reactors,  Materials,  and  Waste 

•  Transportation  Systems 

• Water and Wastewater Systems

Kinetic Disruptions to Critical Infrastructure

Cybersecurity Disruptions to Critical Infrastructure

More companies reporting cybersecurity incidents


By  Ellen  Nakashima  and  Danielle  Douglas,  Published:  March  i 

At  least  19  financial  institutions  have  disclo 
computers  were  targets  of  malicious  cybera 
among  corporations  about  the  breadth  of  c} 
sector.

S. Banks: Worst Yet to Come?


In  their  annual  financia 
such  as  Bank  of  Americ 
institutions,  have  repor' 
intrusions. 


Gartner

That's a viable h
they  had  staged 
Tuesday  the  tod 
against  a  single  bank  at  110  gigabits. 


banks 


e  third  of  the  bandwidth 
Tuesday  Reportedly  on 
with  the  largest  attack 


Interestingly  the  attackers  could  have  easily  done  even  more  damage  but  they  chose  not  to. 
9200  bots  were  identified  as  attack-capable  but  the  total  number  of  bots  actually  involved  in 
sending  the  DDoS  traffic  to  the  banks  numbered  only  about  3200.  The  other  6000  bots  sat  there 
doing nothing.

Why are these developments important?

In  the  past,  there  have  been  executive  orders,  presidential 
policy  directives,  and  legislative  actions  with  major  effects  on 

•  disaster  planning 

•  crisis  management 

•  identity  management 

•  emergency  communications 

•  critical  infrastructure  protection 

•  application  of  DR/BC/InfoSec  national  &  international  standards 


Conditions  are  ripe  for  recent  policy  developments  to 
significantly affect cybersecurity and resiliency landscapes.

Historical Background

•  Source  of  Federal  Regulations 

•  Existing  Federal  Regulations 

•  Congressional  Activities 

•  Presidential  Executive  Orders 

•  Presidential  Policy  Directive 


Sources  of  Federal  Regulations 


In the United States, cybersecurity and resiliency regulation
comprises

• Legislation from Congress

• Directives from the Executive Branch

Existing Federal Regulations

There  are  few  cybersecurity  and  resiliency  regulations. 
The  ones  that  exist  focus  on  specific  industries. 


The  three  main  existing  cybersecurity  regulations  are 


• 1996 Health Insurance Portability and Accountability Act: Health Care Organizations

• 1999 Gramm-Leach-Bliley Act: Financial Institutions

• 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA): Federal Agencies

Congressional Cybersecurity Activities


Congress has been holding hearings related to cybersecurity
every year since 2001.


Most  recently: 


Number of bills and resolutions introduced with
provisions related to cybersecurity

• 111th Congress (January 2009 - January 2011): 60+

• 112th Congress (January 2011 - January 2013): 40+

• 113th Congress (as of May 22, 2013): 17

Cybersecurity Legislation


The Obama Administration sent Congress a package of
legislative proposals in May 2011

• to give the federal government new authority to ensure that
corporations that own the assets most critical to the nation’s security
and economic prosperity are adequately addressing the risks posed
by cybersecurity threats.


No  comprehensive  cybersecurity  legislation 
has been enacted since 2002.

What Are Presidential Executive Orders?


U.S.  presidents  issue  executive  orders  to  help  officers  and 
agencies  of  the  executive  branch  manage  the  operations 
within  the  federal  government. 


Executive Orders, by 4-Year Administration

http://heathenrepublican.blogspot.com/2012/10/on-unprecedented-use-of-executive-orders.html

What Are Presidential Executive Orders?


Executive  orders  have  the  full  force  of  law. 


Typically  made  in  pursuance  of  certain  acts  of  Congress, 
some  of  which  specifically  delegate  to  the  president  some 
degree  of  discretionary  power 


Or  are  believed  to  take  authority  from  power  granted  directly 
to the executive by the Constitution

What Are Presidential Directives?


A  form  of  an  executive  order  issued  by  the  president  of  the 
United  States 

•  with  the  advice  and  consent  of  the  National  Security  Council 

Articulate  the  executive's  national  security  policy. 

They  carry  the  full  force  and  effect  of  law. 


Since  many  presidential  directives  pertain  to  the  national 
security of the United States, many are classified.

Presidential Memorandum, August 21, 1963


President  Kennedy  established  the  National 
Communications  System  (NCS) 

After  the  Cuban  missile  crisis 

The  NCS  mandate  included  linking,  improving,  and  extending 
the  communications  facilities  and  components  of  various 
federal  agencies,  focusing  on  interconnectivity  and 
survivability.

E.O. 12472 - April 3, 1984


Assignment  of  National  Security  and  Emergency 
Preparedness  Telecommunications  Functions 


Superseded  President  Kennedy's 
original  1963  memorandum 


Broadened  the  NCS 


PPD-63 - May 22, 1998


Critical  Infrastructure  Protection 

Set  national  goal: 

•  The  ability  to  protect  the  nation’s  critical  infrastructure  from 
intentional  attacks 

•  Any  interruptions  in  the  ability  of  these  infrastructures  to  provide  their 
goods  and  services  must  be  “brief,  infrequent,  manageable, 
geographically  isolated,  and  minimally  detrimental  to  the  welfare  of 
the United States."

Homeland Security Act of 2002

Was  introduced  in  the  aftermath  of 

• September 11 attacks

•  mailings  of  anthrax  spores 

Established  the 


•  Department  of  Homeland  Security  (DHS) 

•  cabinet-level  position  of  secretary  of  homeland  security 


HSPD-7 - December 7, 2003


Critical  Infrastructure  Identification, 
Prioritization,  and  Protection 


Replaced  PPD-63 

Aimed  to  unify  protection  efforts  for 
critical  infrastructure  and  key  resources 
(CIKRs)  across  the  country 


Focus of HSPD-7

• Terrorist attacks

• Physical systems

E.O. 13407 - June 26, 2006

Public  Alert  and  Warning  System 

Following  Hurricane  Katrina 


Ordered  DHS  to  establish  a  new  program  to  integrate  and 
modernize  the  nation's  existing  population  warning  systems, 
such  as 


•  Emergency  Alert  System  (EAS) 

•  National  Warning  System  (NAWAS) 

•  Commercial  Mobile  Alert  System  (CMAS) 

•  NOAA  Weather  Radio  All  Hazards 

Subsequently  termed  the  Integrated 
Public Alert and Warning System (IPAWS)

Description of February 2013 Policy Developments

•  Executive  Order  No.  13636 

•  Presidential  Policy  Directive  (PPD)  21 

• NIST Initiated Development of a Cybersecurity Framework

Executive Order


Executive  Order  No. 

•  13636 

Issuance  Date 

•  Tuesday,  February  12,  2013 

Title 

•  Improving  Critical  Infrastructure 
Cybersecurity 

Overall  Objective 

•  To  enhance  the  security  and 
resilience  of  the  nation's  critical 
infrastructure 

Classification 

• Unclassified

Presidential Policy Directive


Presidential  Policy  Directive  No. 

•  PPD-21 

Issuance  Date 

•  Tuesday,  February  12,  2013 

Title 

•  Critical  Infrastructure  Security 
and  Resilience 

Classification 

•  Unclassified 


The White House

Office of the Press Secretary


For  Immediate  Release 


February  12, 2013 


Presidential  Policy  Directive  —  Critical  Infrastructure 
Security  and  Resilience 

PRESIDENTIAL  POLICY  DIRECTIVE/PPD-21 
SUBJECT:  Critical  Infrastructure  Security  and  Resilience 

The  Presidential  Policy  Directive  (PPD)  on  Critical  Infrastructure  Security  and  Resilience  advances  a  national 
unity  of  effort  to  strengthen  and  maintain  secure,  functioning,  and  resilient  critical  infrastructure. 


Introduction 

The  Nation’s  critical  infrastructure  provides  the  essential  services  that  underpin  American  society.  Proactive  and 
coordinated  efforts  are  necessary  to  strengthen  and  maintain  secure,  functioning,  and  resilient  critical 
infrastructure  -  including  assets,  networks,  and  systems  -  that  are  vital  to  public  confidence  and  the  Nation's 
safety,  prosperity,  and  well-being. 

The  Nation's  critical  infrastructure  is  diverse  and  complex.  It  includes  distributed  networks,  varied  organizational 
structures  and  operating  models  (including  multinational  ownership),  interdependent  functions  and  systems  in 
both  the  physical  space  and  cyberspace,  and  governance  constructs  that  involve  multi-level  authorities, 
responsibilities,  and  regulations.  Critical  infrastructure  owners  and  operators  are  uniquely  positioned  to  manage 
risks  to  their  individual  operations  and  assets,  and  to  determine  effective  strategies  to  make  them  more  secure 
and  resilient. 


Critical  infrastructure  must  be  secure  and  able  to  withstand  and  rapidly  recover  from  all  hazards.  Achieving  this 
will  require  integration  with  the  national  preparedness  system  across  prevention,  protection,  mitigation, 
response, anj

Messages of Executive Order & PPD


“...Our  country’s  reliance  on 
cyber  systems  to  run 
everything  from  power  plants 
to  pipelines  and  hospitals  to 
highways  has  increased 
dramatically, and our
infrastructure  is  more 
physically  and  digitally 
interconnected  than  ever...” 


“...The  cyber  threat  to  critical 
infrastructure  continues  to 
grow  and  represents  one  of 
the  most  serious  national 
security  challenges  we  must 
confront...” 


“...Steps  must  be  taken  to  enhance  existing 
efforts to increase the protection and resilience
of critical infrastructure, while maintaining a
cyber environment that encourages efficiency,
innovation, and economic prosperity, while
protecting privacy and civil liberties...”

Overall Objectives of EO and PPD


To  strengthen  the  security  and  resilience  of  critical 
infrastructure  against  evolving  threats  through  an 
updated  and  overarching  national  framework  that 
acknowledges  the  increased  role  of  cybersecurity 
in  securing  physical  assets. 


Together,  the  EO  and  PPD  create  an 
opportunity  to  reinforce  the  need  for  holistic 
thinking  about  security  risk  management  and 
drive  action  toward  a  whole  of  community 
approach to security and resilience.

Sections of the Executive Order

• Policy
• Critical Infrastructure
• Policy Coordination
• Cybersecurity Information Sharing
• Privacy and Civil Liberties Protections
• Consultative Process
• Baseline Framework to Reduce Risk to Critical Infrastructure
• Voluntary Critical Infrastructure Cybersecurity Program
• Identification of Critical Infrastructure at Greatest Risk
• Adoption of Framework

It is the policy of the United States to
enhance the security and resilience of the
nation's critical infrastructure and to
maintain a cyber environment that
encourages efficiency, innovation, and
economic prosperity while promoting
safety, security, business confidentiality,
privacy, and civil liberties.

Sections of the Executive Order

• Policy
• Critical Infrastructure
• Policy Coordination
• Cybersecurity Information Sharing
• Privacy and Civil Liberties Protections
• Consultative Process
• Baseline Framework to Reduce Risk to Critical Infrastructure
• Voluntary Critical Infrastructure Cybersecurity Program
• Identification of Critical Infrastructure at Greatest Risk
• Adoption of Framework

DHS to establish a new
information sharing program to
provide both classified and
unclassified threat and attack
information to U.S. companies

Sections of the Executive Order

• Policy
• Critical Infrastructure
• Policy Coordination
• Cybersecurity Information Sharing
• Privacy and Civil Liberties Protections
• Consultative Process
• Baseline Framework to Reduce Risk to Critical Infrastructure
• Voluntary Critical Infrastructure Cybersecurity Program
• Identification of Critical Infrastructure at Greatest Risk
• Adoption of Framework

Agencies are required to
incorporate privacy and civil
liberties safeguards in their
cybersecurity activities.

Sections of the Executive Order

• Policy
• Critical Infrastructure
• Policy Coordination
• Cybersecurity Information Sharing
• Privacy and Civil Liberties Protections
• Consultative Process
• Baseline Framework to Reduce Risk to Critical Infrastructure
• Voluntary Critical Infrastructure Cybersecurity Program
• Identification of Critical Infrastructure at Greatest Risk
• Adoption of Framework

NIST to lead the development of a
Cybersecurity Framework to reduce
risk to critical infrastructure

Sections of Presidential Policy Directive

• Introduction
• Policy
• Roles and Responsibilities
• Three Strategic Imperatives
• Innovation and Research and Development
• Implementation of the Directive
• Designated Critical Infrastructure Sectors and Sector-Specific Agencies
• Definitions

Critical infrastructure must be
secure and able to withstand and
rapidly recover from all hazards.

This directive establishes national
policy on critical infrastructure
security and resilience.

Sections of Presidential Policy Directive

• Introduction
• Policy
• Roles and Responsibilities
• Three Strategic Imperatives
• Innovation and Research and Development
• Implementation of the Directive
• Designated Critical Infrastructure Sectors and Sector-Specific Agencies
• Definitions

Calls for a comprehensive R&D plan for
critical infrastructure to guide the
government's effort to enhance and
encourage market-based innovation

Sections of Presidential Policy Directive

• Introduction
• Policy
• Roles and Responsibilities
• Three Strategic Imperatives
• Innovation and Research and Development
• Implementation of the Directive
• Designated Critical Infrastructure Sectors and Sector-Specific Agencies
• Definitions

1. Chemical
2. Commercial Facilities
3. Communications
4. Critical Manufacturing
5. Dams
6. Defense Industrial Base
7. Emergency Services
8. Energy
9. Financial Services
10. Food and Agriculture
11. Government Facilities
12. Health Care and Public Health
13. Information Technology
14. Nuclear Reactors, Materials, & Waste
15. Transportation Systems
16. Water and Wastewater Systems

Sections of Presidential Policy Directive

• Introduction
• Policy
• Roles and Responsibilities
• Three Strategic Imperatives
• Innovation and Research and Development
• Implementation of the Directive
• Designated Critical Infrastructure Sectors and Sector-Specific Agencies
• Definitions

RESILIENCE ... the ability to prepare for
and adapt to changing conditions and
withstand and recover rapidly from
disruptions. Resilience includes the
ability to withstand and recover from
deliberate attacks, accidents, or
naturally occurring threats or incidents.

ALL HAZARDS ... natural disasters,
cyber incidents, industrial
accidents, pandemics, acts of
terrorism, sabotage, and
destructive criminal activity
targeting critical infrastructure.

PPD-21 Replaces HSPD-7 of 2003

To  account  for 

•  new  risk  environment 

•  key  lessons  learned 

•  drive  toward  enhanced  capabilities 


HSPD-7

• Terrorist attacks

• Physical systems


PPD-21

• Security & resilience of CI (protection + operating under stress)

• All hazards

• Recognizes that CI cybersecurity is a matter of national security

Aspects of EO/PPD Related to Framework

NIST  shall 

•  develop  a  cybersecurity  framework  (CSF) 

DHS  shall 

•  establish  a  voluntary  program  to  promote  the  adoption  of  the  CSF 

Regulatory  agencies  shall 

•  review  the  framework  and  determine  if  current  regulations  are 
sufficient 

• develop new regulations if current ones are insufficient

NIST Framework Development Process


1. Engage the Framework Stakeholders
2. Collect, Categorize, & Post RFI Responses
3. Analyze RFI Responses
4. Select Framework Components
5. Prepare & Publish Preliminary Framework
6. Release Official Framework


February  2013  -  NIST  Issues  RFI 
April  3,  2013  -  1st  Framework  Workshop 
April  8,  2013  -  Post  RFI  Responses 
May  15,  2013  -  Identify  Common  Practices/Themes 
May  29-31,  2013  -  2nd  Framework  Workshop 
June  2013  -  Draft  Initial  Framework 
July  2013  -  3rd  Framework  Workshop 
September  2013  -  4th  Framework  Workshop 
October  2013  -  Publish  Preliminary  Framework 
November  2013  -  5th  Framework  Workshop 
December  2013  -  Public  Comment  Period 
February 2014 - Release Official Framework

Closing Thoughts

Observation


Taking  actions  “before”  &  “after”  major  national  disruptive  events 


•  After  Cuban  Missile  Crisis 

-  Presidential  Memorandum  of  August  21,  1963  (NCS) 

•  After  September  11 

-  HSPD  1,  5,  7,  8,  12,  20,  21 

-  Homeland  Security  Act  of  2002 

-  PS-PREP 

•  After  Mailings  of  Anthrax  Spores 

- Homeland Security Act of 2002 (DHS)

• After Hurricane Katrina

- EO-13407 (IPAWS)


• PPD-63 (CIP)

• EO-13636 and PPD-21 (CI Security and Resilience)

Observation:


PPD-21  accounts  for 

•  new  risk  environment 

•  key  lessons  learned 

•  drive  toward  enhanced  capabilities 


HSPD-7

• Terrorist attacks

• Physical systems


PPD-21

• Security & resilience of CI (protection + operating under stress)

• All hazards

• Recognizes that CI cybersecurity is a matter of national security

Observation (& Question to Be Considered)


Policies  and  doctrines  around  kinetic  attacks  on  U.S.  interests 
are  mature,  but  they  fail  to  provide  needed  clarity  when 
applied  to  cyber-based  attacks,  especially  those  of  foreign 
state  actors. 


For example...

Question: Enable Active Defenses?


An  active  shooter  in  a  bank  lobby  would  likely  meet  deadly 
force  in  response. 

Should  organizations  be  legally  allowed  to  fight  back  when 
under  cyber  attack? 

Do  we  need  policies  and 
regulations  governing  such 
active cyber defenses?

U.S., Firms Draw a Bead on Chinese Cyberspies


By  DANNY  YADRON  and  SIOBHAN  GORMAN 

The U.S. government gave American Internet providers addresses linked to
suspected Chinese hackers earlier this year as part of a previously undisclosed effort
aimed at blocking cyberspying, current and former U.S. officials said.


The push reflects a significant shift in
levels of cooperation between the
government and Internet companies


The efforts represent a rare glimpse into what NSA Director Gen. Keith Alexander
and other officials call "active defense," which they characterize as exercising
self-defense in cyberspace. How such activities are executed remains largely
cloaked in mystery.

Question: National Defenses


If  a  foreign  state  fired  a  missile  at  a  U.S.  bank  HQ,  it  would 
meet  immediate  military  defense. 

Should  military-grade  cyber  defenses  be  deployed  to  protect 
U.S.  businesses  that  are  under  attack  by  foreign  states? 

Do  we  need  another  exception  to 
the  Posse  Comitatus  Act  to 
enable  military  cyber  response 
to  large-scale  cyber  attacks  on 
U.S. critical infrastructure?

Role of Federal Government?

Should Companies Be Required to Meet Certain Minimum
Cybersecurity Protections?


By  SIOBHAN  GORMAN 

U.S.  companies  appear  to  have  lots  of  not-so-secret  secrets. 


Intelligence  reports,  for  instance,  say 
China  and  Russia  have  been  pilfering 
vast  quantities  of  secrets  from  U.S. 
companies,  while  U.S.  officials  say 
Iranian-backed  hackers  have  mounted  a 
relentless campaign against U.S. banks.

Role of Federal Government?

A Call to Arms for Banks


Regulators  Intensify  Push  for  Firms  to  Better  Protect  Against  Cyberattacks 



By  MICHAEL  R.  CRITTENDEN 

WASHINGTON — U.S.  regulators  are  stepping  up  calls  for  banks  to  better-arm 
themselves  against  the  growing  online  threat  hackers  and  criminal  organizations  pose 
to  individual  institutions  and  the  financial  system  as  a  whole. 

The  push  comes  as  government  officials  grow  increasingly  concerned  about  the 
ability  of  a  cyber  attack  to  cause  significant  disruptions  to  the  financial  system.  Banks 
such as J.P. Morgan Chase & Co., Bank of America Corp. and Capital
One Financial Corp. have been targeted by cyber assaults in recent
years, including potent "denial-of-service" strikes that took down some bank websites


Software  Engineering  Institute 


Carnegie  Mellon  University 


©2014  Carnegie  Mellon  University 




Thank you for your attention...